WolfSkin0
Participant
March 24, 2026

SIGSEGV in libsubstance_sse2_blend.so caused by stack misalignment on material apply


Environment:

  • Substance 3D Painter 2026 (version 12.0.1 Build 5292 - 5c7d4ababad6d05862324959feb192c9a033dd44) -- native linux build, running with steam linux runtime disabled
  • Arch Linux (Linux vargr 6.19.6-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Wed, 04 Mar 2026 18:24:56 +0000 x86_64 GNU/Linux)
  • AMD Ryzen 9 9950X3D (Zen 5, AVX-512), NVIDIA RTX 3080 (driver 590.48.01), 64 GB RAM

Reproduction:

  1. Open substance painter on linux via steam (launch steam using `steam -compat-force-slr off` if necessary to bypass broken steam runtime)
  2. Load up a model
  3. Apply material like “Fabric Tarpaulin” to model
  4. Watch material visually apply
  5. Program freezes and crashes

Details:

From what I’ve been able to figure out, the faulting thread is a Substance blend worker:

Thread 154 "SubstanceThread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f0946ffe6c0 (LWP 96974)]
0x00007f2bf156dc10 in ?? () from ./libsubstance_sse2_blend.so

I used GDB to grab the disassembly at the RIP at time of crash:

=> 0x7f2bf156dc10:      movaps 0x8(%rsp),%xmm0
   0x7f2bf156dc15:      movaps 0x18(%rsp),%xmm1
   0x7f2bf156dc1a:      movaps 0x28(%rsp),%xmm2
   0x7f2bf156dc1f:      movaps 0x38(%rsp),%xmm3
   0x7f2bf156dc24:      movaps 0x48(%rsp),%xmm4

RSP at crash: `0x7f1f9dfb06c0` (0 mod 16). The `movaps` loads are at offsets `+0x8`, `+0x18`, etc., so the effective addresses are all 8 mod 16. `movaps` requires 16-byte alignment, thus it faults.

Afaik, the code expects RSP to be 8 mod 16 (i.e. standard state immediately after a `call` as per System V AMD64 ABI), which would place `RSP+0x8` on a 16-byte boundary. Instead RSP is 0 mod 16, meaning something in the call chain shifted alignment by 8 bytes.

Backtrace:

#0  0x00007f424bf6dc10 in ?? () from ./libsubstance_sse2_blend.so
#1  0x00007f424bf027e9 in ?? () from ./libsubstance_sse2_blend.so
#2  0x00007f424bfd2c80 in ?? () from ./libsubstance_sse2_blend.so
#3  0x00007fa15aca597a in start_thread () from /usr/lib/libc.so.6
#4  0x00007fa15ad292bc in __clone3 () from /usr/lib/libc.so.6

Registers:

rax  0x7f7eb1be7880    rbx  0x7f7eb002ecc0    rcx  0x7f7ef4fa9780
rdx  0x1               rsi  0x7f7eb002ecc0    rdi  0x7f7ef4fa86c8
rbp  0x0               rsp  0x7f1f9dfb06c0    rip  0x7f424bf6dc10
r8   0x7fa164df2c60    r9   0x10              r10  0x7f7eb00e4890
r11  0x400             r12  0x7f7ef4fa9780    r13  0x7f7efbfb7230
r14  0x7f7ef4fa8738    r15  0x7fa164de4960

Notes:

This only seems to happen on certain materials. Other materials like “Bandage” are fine, which maps to similar reproductions by others on steam: https://steamcommunity.com/app/4329260/discussions/0/796712966523263676/#c796712966523295000

Replacing all movaps instructions with movups seems to mitigate this issue (on my machine at least). I have a super shoddy patcher script in the gist here: https://gist.github.com/WolfSkin0/6386e4b986c83a818a4fac83eb85d467
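The alignment arithmetic in the report above can be checked mechanically rather than by hand. The script below is an added example (editor's code, not part of WolfSkin0's post, the linked gist, or Adobe's tooling) that takes GDB's AT&T-syntax disassembly plus the RSP value from the register dump, flags every `movaps`/`movapd`/`movdqa` load whose effective address is not 16-byte aligned, and infers what RSP mod 16 the code was compiled to expect. The disassembly text and RSP value embedded in it are copied from the post; `ALIGNED_ONLY` is the editor's own list of SSE mnemonics that require 16-byte alignment.

```python
import re
from typing import List, Optional, Tuple

# Sample input, copied from the crash report: the five loads at the faulting
# RIP (as printed by GDB) and the RSP value from the register dump.
DISASSEMBLY = """\
=> 0x7f2bf156dc10:      movaps 0x8(%rsp),%xmm0
   0x7f2bf156dc15:      movaps 0x18(%rsp),%xmm1
   0x7f2bf156dc1a:      movaps 0x28(%rsp),%xmm2
   0x7f2bf156dc1f:      movaps 0x38(%rsp),%xmm3
   0x7f2bf156dc24:      movaps 0x48(%rsp),%xmm4
"""
RSP_AT_CRASH = 0x7f1f9dfb06c0

# SSE/SSE2 moves whose 128-bit memory operand must be 16-byte aligned; a
# misaligned operand raises #GP, which the kernel delivers as SIGSEGV.
# (Editor's list; movups/movupd/movdqu are the unaligned counterparts.)
ALIGNED_ONLY = {"movaps", "movapd", "movdqa"}

# Matches one GDB disassembly line with an rsp-relative memory source, e.g.
#   "=> 0x7f2bf156dc10:      movaps 0x8(%rsp),%xmm0"
# An optional "<symbol+off>" after the address and a missing displacement
# ("(%rsp)") are both accepted.
_INSN_RE = re.compile(
    r"^\s*(?:=>)?\s*(0x[0-9a-fA-F]+)(?:\s*<[^>]*>)?:\s+"
    r"(\w+)\s+(-?0x[0-9a-fA-F]+|-?\d+)?\(%rsp\)"
)


def parse_rsp_loads(text: str) -> List[Tuple[int, str, int]]:
    """Return (instruction address, mnemonic, displacement) for every
    rsp-relative memory operand found in GDB disassembly text."""
    loads = []
    for line in text.splitlines():
        m = _INSN_RE.match(line)
        if not m:
            continue
        addr, mnemonic, disp = m.groups()
        loads.append((int(addr, 16), mnemonic, int(disp, 0) if disp else 0))
    return loads


def misaligned_loads(text: str, rsp: int) -> List[Tuple[int, str, int]]:
    """Return (instruction address, mnemonic, effective address) for each
    alignment-requiring load that would fault with RSP equal to `rsp`."""
    bad = []
    for addr, mnemonic, disp in parse_rsp_loads(text):
        ea = (rsp + disp) & 0xFFFFFFFFFFFFFFFF  # 64-bit wraparound like the CPU
        if mnemonic in ALIGNED_ONLY and ea % 16 != 0:
            bad.append((addr, mnemonic, ea))
    return bad


def required_rsp_mod16(text: str) -> Optional[int]:
    """Infer the RSP mod 16 value under which every aligned-only load in the
    listing is 16-byte aligned. Returns None if the loads disagree (which
    would mean misalignment is not the explanation) or if there are none."""
    required = {(-disp) % 16 for _, m, disp in parse_rsp_loads(text) if m in ALIGNED_ONLY}
    return required.pop() if len(required) == 1 else None


if __name__ == "__main__":
    print(f"RSP at crash: {RSP_AT_CRASH:#x} (RSP mod 16 = {RSP_AT_CRASH % 16})")
    for addr, mnemonic, ea in misaligned_loads(DISASSEMBLY, RSP_AT_CRASH):
        print(f"  {addr:#x}: {mnemonic} faults, effective address {ea:#x} is {ea % 16} mod 16")
    need = required_rsp_mod16(DISASSEMBLY)
    print(f"Code expects RSP mod 16 = {need}; "
          f"actual is off by {(RSP_AT_CRASH - need) % 16} bytes" if need is not None
          else "Loads do not share a single required alignment")
```

Run against the values in the post, every one of the five loads is reported as landing on an address that is 8 mod 16, and the inferred expectation is RSP mod 16 = 8, the System V state on function entry. That pins the defect to whoever shifted the stack by 8 bytes before this function was entered; the same check run on a frame that does not fault (or on the `movups`-patched library) returns an empty list.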

    2 replies

    Eric Batut
    Participant
    March 27, 2026

    Absolutely stellar bug report, thank you very much for the thorough investigation!

    We have a fix being tested, if it works as expected it should be released in the next bugfix release.

    Cheers!

    Participant
    March 25, 2026

    Thank you so much for investigating and reporting this!
    It’s exactly what my experience is with Painter 2026 / 12.0.1